
SOLUTION OVERVIEW

CLEARPASS EXCHANGE
Open third party integration for endpoint controls, policy and threat prevention

While billions of Wi-Fi enabled smartphones and tablets
connect to enterprise networks, it’s a major challenge to
ensure security while also delivering an exceptional user
experience without creating a provisioning nightmare.

That challenge is complicated by the fact that IT still relies
on multiple, disparate systems like network access control
(NAC), enterprise mobility management (EMM), policy
management, firewalls, guest management, single sign-on
solutions, helpdesk and trouble-ticketing systems.

IT needs a better way to secure the mobile enterprise.
More importantly, the security products and management
systems that have been deployed must be able to exchange
contextual data and work together to provide increased
visibility from top to bottom.

Aruba ClearPass Exchange supports a wide range of third-party
IT systems, giving you the benefit of a coordinated defense
where all components operate as one fully-integrated system.

MAKE BETTER-INFORMED DECISIONS


As the gatekeeper for incoming access-layer traffic, Aruba
ClearPass performs profiling, authentication and authorization of
users and devices. In this role, ClearPass Policy Manager collects
a wealth of valuable and authoritative contextual data such as:

• The identity of users
• The current status and posture of a device
• The location of the connected user and device

This data is gathered from numerous internal and third-party
systems through one-way and bidirectional communication.
To simplify the sharing of context, ClearPass supports data
exchange methods via APIs, Syslog messaging, and the use of
an integrated repository called ClearPass Extensions.

For example, using XML APIs, ClearPass can poll EMM systems
for a variety of device information, including manufacturer
and model, encryption status, blacklisted and whitelisted
applications, and jailbroken status. When EMM systems detect
policy violations, they are incorporated into ClearPass policy
decision making.

[Figure: Some of our transaction partners]

Why share context?


After the access decision is made, the contextual data that
ClearPass collects is shared with other systems to help
protect your network or to deploy a new service.

ClearPass integrates with existing security, transaction or
authentication systems that are on-premise or in the
cloud. Customers benefit from the ability to integrate their
own systems.

For example, Aruba has prepackaged an exchange of
information with the Palo Alto Networks next-generation
firewall to strengthen security by enforcing app-level policies
more accurately. Likewise, SIEM solutions like Splunk and
ArcSight can archive access connectivity data and trigger
ClearPass to perform endpoint remediation actions based on
unexpected endpoint activity.

ClearPass can also interact with non-network IT systems and
helpdesk tools to automatically create and populate tickets
with information about a specific user, device and location in
the event of an authentication failure.

[Figure: Some of our authentication partners]

It’s even possible to add mobility context to other IT
workflows by extending network, device and user intelligence
to cloud-based services such as Twilio, ServiceNow, and
Nearbuy/RetailNext.

The result is improved automation, user satisfaction and less
time spent on manual IT tasks. Just imagine what else you
can do now that the mobility infrastructure is communicating
with your security and business systems.

[Figure: Some of our notification partners]

THE POWER OF PARTNERS

In addition to custom integration, Aruba works with industry-leading partners to
natively integrate ClearPass with EMM, firewalls, single sign-on, and many other
systems, right out of the box.

ENTERPRISE MOBILITY MANAGEMENT

Integrating EMM with a NAC system is critical as BYOD and
Internet-of-things (IoT) proliferate in the workplace. EMM
systems share contextual data about devices and make it
easier to enforce network policies using attributes gathered
by an EMM agent.

ClearPass offers rich bidirectional integration with multiple Tier
1 EMM vendors, including MobileIron, AirWatch by VMware,
Citrix XenMobile, JAMF Software, IBM, SOTI, and SAP Afaria.

For example, EMM can tell the ClearPass server about a
device’s posture, its OS version, the apps running, who owns
the device, whether the device is personal or corporate-owned,
and other information.

This detailed contextual information enables ClearPass to
determine whether to allow the device to connect to the
network, what resources it is allowed to access once it connects,
and actions that the device can perform while connected.

If a user fails to authenticate with the network multiple
times, ClearPass can trigger an EMM system to send a
notification message directly to the device and trigger the
network to automatically quarantine the device or take other
corrective action.

Conversely, device posture assessments performed by
EMM systems for missing agents as well as blacklisted
applications can trigger ClearPass access enforcement,
remediation and notifications.

This built-in EMM integration ensures that ClearPass has
the necessary device posture information to make the best
network access decisions. Additional notifications and
value-added policy events can also be triggered.

JAILBREAK DETECTION WORKFLOW

1. Jail-broken device detected
2. Helpdesk notification auto generated
3. Message to device auto generated

NEXT-GENERATION FIREWALLS

Next-generation firewalls feature traffic classification that
natively inspects all apps, threats and content. ClearPass
integration extends the policy enforcement capabilities of
these firewalls beyond simple IP address and directory-based
user identity information.

Now you can enforce policies based on user and device,
guest network, and non-directory identity information.
This is crucial to handle the volume and diversity of devices
that connect to enterprise networks, and ensures that
enforcement rules are applied correctly.

ClearPass integration with firewalls lets you give an iPad user
external web browsing privileges to access webmail and
social sites, while restricting that same user on a
company-issued laptop to external web browsing with no access to
webmail and social sites.

AN EXAMPLE OF ENHANCED POLICY ENFORCEMENT
WITH PALO ALTO NETWORKS FIREWALLS

1. User and device authentication
2. User and device information sent to firewall
3. Traffic enforcement by user and device type
4. Application traffic

Diagram label: Palo Alto Networks next-gen firewall

SECURITY INCIDENT EVENT MANAGEMENT (SIEM)

SIEM systems let you aggregate all security events for data
correlation and possible coordinated enforcement actions
with other systems. Sharing NAC/AAA data with these
solutions is essential to any access layer security strategy.

ClearPass integrates with SIEM systems like QRadar, ArcSight
and Splunk to share session logs, audit events, event records
and other syslog data. Contextual data shared by ClearPass
enables SIEM systems to rapidly pinpoint security threats
and policy violations.

Additionally, ClearPass integration with SIEMs makes it easy
to track authentication requests, failures and alerts, policy
enforcement trends – such as the Top 10 most frequent
enforcement profiles applied – endpoint profiles, session
details, and other useful information.

AN EXAMPLE OF SECURITY ANALYTICS
AND INCIDENT MANAGEMENT

1. Real-time event logs
2. Pinpoint and correlate threats/violations
3. Quarantine high risk connections

Diagram labels: Firewall, EMM/MDM

BUILDING AN ADAPTIVE DEFENSE


Integration between best-of-breed IT systems, including the
sharing of contextual information, is the key to a coordinated
defense. It’s the type of security that is needed in today’s
mobile enterprise, where more and more Wi-Fi-enabled
mobile devices are connecting inside and outside of your
enterprise security perimeter.

Instead of taking a siloed approach where your existing
systems are blind to each other’s actions, ClearPass
Exchange provides bidirectional visibility through the power
of integration.

With ClearPass, it’s easy to integrate a variety of systems –
from access layer, EMM and network security products to
hospitality, payment and messaging systems – and trigger
HTTP-based workflow actions with the open platform of
your choosing.

IT benefits from greatly enhanced workflow automation.
End users benefit from self-service and a vastly improved
user experience. And above all, your enterprise benefits
from coordinated, adaptive security that’s purpose-built for
today’s dynamic and highly mobile environment.

1344 CROSSMAN AVE | SUNNYVALE, CA 94089


1.844.473.2782 | T: 1.408.227.4500 | FAX: 1.408.227.4550 | INFO@ARUBANETWORKS.COM

www.arubanetworks.com SO_ClearPassExchange_113016
